bypassing user mode when logging in to a router

axfalk
Level 1

when accessing one of our routers via vty, a user gets right into the enable mode, bypassing the user mode...here is the vty config in the router:

    line vty 0 4
     access-class 23 in
     privilege level 15
     password hello
     transport input telnet

Anybody has any ideas what may be going on here?

thanks...


8 Replies

bruce.porter
Level 1

I think you need to put login local in the config. You may want to apply it to vty 0 15 as well, in case someone screws up the lower 5 ports with some kind of DOS. There might be a quicker timeout that could be applied to the vty 15 port as well...

Also you might want an auto disconnect after some inactivity period, 60 minutes.

exec-timeout 60

login local should be applied to unused ports as well. Even without a password. This ensures that no one can use the port, even if there is no password applied to the port.

Merry Christmas..

Bruce, thanks for your response... What's so strange is that we have another router with exactly the same vty config (i.e. no login statement) and it's not throwing an incoming user directly into the enable mode, like this router is doing... Is there a command somewhere in the router config, besides the vty config, that may impact what mode a user is getting?

thanks again...

Edison Ortiz
Hall of Fame

Change the privilege level to a value lower than 15.

Thanks to both responses....

<< Change the privilege level to a value lower than 15.>>

Why is that?

Sorry, but one factor I omitted was that we're using TACACS+ for authentication...

Thanks again...

Privilege Level 15 will give any user enable access to the router. Level 14 and below will force the user to type 'enable' and enter the enable password.

thanks...on a related subject, what makes vty to authenticate a user against a TACACS+ server as opposed to the local vty password?

thanks again

Greg

It depends on how you configure AAA on the router (or switch). There are options that you can configure to have the router authenticate with TACACS, or to have it authenticate with local authentication, or to have it do both so that it attempts to authenticate with TACACS and if TACACS is not available then to do local authentication. I believe that the combination of trying TACACS and have local authentication as a fallback is the better solution.

You can set it up so that some connections (perhaps PPP connections on a remote access server) authenticate with TACACS while other connections (perhaps your vty) authenticate with local password.

HTH

Rick

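Added example (not posted by anyone in this thread): the vty block from the original question, which drops every caller straight into enable, placed beside a version that uses AAA with TACACS+ and local fallback as Rick describes and covers all 16 vty lines as Bruce suggested. The server address, shared key, username and secrets are placeholders, not values from this thread.

```cisco
! --- As posted: the line itself grants privileged EXEC ---
! "privilege level 15" on the vty means anyone who knows the line
! password lands in enable mode without ever typing "enable".
line vty 0 4
 access-class 23 in
 privilege level 15
 password hello
 transport input telnet
!
! --- Hardened: per-user AAA, TACACS+ first, local fallback ---
! Placeholders: 192.0.2.10, SHARED_SECRET, ADMIN_USER, ADMIN_SECRET, ENABLE_SECRET
aaa new-model
! Authenticate logins against TACACS+; use the local user database only
! when no TACACS+ server answers (a rejection from the server is final).
aaa authentication login default group tacacs+ local
! Let the TACACS+ user profile (or the local username) decide the EXEC
! privilege level instead of handing level 15 to everyone on the line.
aaa authorization exec default group tacacs+ local
tacacs-server host 192.0.2.10 key SHARED_SECRET
! Local fallback account so the box stays manageable if TACACS+ is down.
username ADMIN_USER privilege 15 secret ADMIN_SECRET
! Still needed by any user whose session is authorized below level 15.
enable secret ENABLE_SECRET
!
! All 16 vty lines, same ACL, 10-minute idle timeout, no line-level
! "privilege level 15" and no shared line password.
line vty 0 15
 access-class 23 in
 login authentication default
 exec-timeout 10 0
 transport input telnet
```

Under this configuration a TACACS+ user whose profile sends priv-lvl=15 still lands directly in privileged EXEC, while a user with no such attribute starts at level 1 and must type `enable`. That per-user decision is made by exec authorization, which is why two routers with identical vty blocks can behave differently once TACACS+ is in the picture.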